Skill Trust Decision
Memory Workflow
Memory workflow skill has undeclared network exfiltration behavior: user memory content is sent to an external Ollama LLM service (scripts/store.py:extract_triples_via_llm) without disclosure in SKILL.md, combined with hardcoded Docker bridge IPs as service endpoints.
Most direct threat evidence
01
User stores memory content via MemoryStore tool Entry · scripts/store.py
02
store_memory() calls extract_triples_via_llm() with user content Escalation · scripts/store.py
03
Content POSTed to OLLAMA_URL (default: host.docker.internal:11434) for LLM processing — exfiltrated outside skill sandbox Impact · scripts/store.py
Why this conclusion was reached
3/4 dimensions flagged Block
Declared vs actual capability
2 undeclared or violating capabilities were inferred.
Block
Hidden execution and egress
1 high-risk artifacts or egress signals were extracted.
Block
Attack chain and severe findings
The report includes 4 attack-chain steps and 3 severe findings.
Pass
Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.
Attack Chain
01
User stores memory content via MemoryStore tool
Entry · scripts/store.py:110
02
store_memory() calls extract_triples_via_llm() with user content
Escalation · scripts/store.py:130
03
Content POSTed to OLLAMA_URL (default: host.docker.internal:11434) for LLM processing — exfiltrated outside skill sandbox
Impact · scripts/store.py:94
04
get_embedding() sends same content to EMBEDDING_URL (default: 172.17.0.1:18779)
Impact · scripts/store.py:170
What drove the risk score up
Undeclared network exfiltration +25
extract_triples_via_llm() sends user memory content to OLLAMA_URL (default host.docker.internal:11434) — not declared in SKILL.md
Hardcoded Docker bridge IPs +15
config.py hardcodes 172.17.0.1 for rerank (18778) and embedding (18779) services — suspicious default targets
Undeclared embedding service call +15
get_embedding() POSTs content to external embedding endpoint — not mentioned in SKILL.md tool descriptions
Most important evidence
High Data Exfil
Undeclared LLM data transmission
extract_triples_via_llm() in store.py sends user memory content to an external Ollama LLM endpoint (OLLAMA_URL, defaulting to host.docker.internal:11434) for entity/relation extraction. This external network call is not declared anywhere in SKILL.md, which only mentions 'Ollama (可选)' as a KG dependency without explaining that user content is transmitted.
scripts/store.py:94 Add explicit documentation in SKILL.md stating that user memory content may be sent to a user-configured Ollama endpoint for knowledge graph extraction. Alternatively, remove this feature and rely on rule-based extraction only.
High Doc Mismatch
SKILL.md hides external service dependencies
SKILL.md claims '三层存储架构' with file + FTS5 + KG + Milvus, but omits that KG extraction and embedding both require external HTTP calls. The embedding call to bge-m3 at 172.17.0.1:18779 sends all stored content over the network.
SKILL.md:1 Document that Ollama and embedding services are external dependencies that receive user data over HTTP.
High Sensitive Access
Hardcoded Docker bridge IP addresses as default service endpoints
config.py hardcodes 172.17.0.1 (the default Docker bridge gateway) as the default endpoint for rerank (18778) and embedding (18779) services. This is a suspicious default target as it enables exfiltration to the Docker host if those ports are open, without requiring explicit user configuration.
scripts/config.py:12 Remove hardcoded IPs as defaults. Default to localhost or a service unavailable message, requiring explicit configuration for network services.
Medium Data Exfil
Embedding API call sends all content to external service
get_embedding() in store.py POSTs all user memory content to EMBEDDING_URL (defaulting to http://172.17.0.1:18779/v1/embeddings) for vectorization before Milvus storage. This network call is not declared in the tool descriptions.
scripts/store.py:170 Document the embedding API call in SKILL.md or remove the embedding feature, relying on FTS5 only.
Medium Priv Escalation
Undeclared shell execution via subprocess
BaseMemoryTool._run_op() uses subprocess.run() to execute memory_ops.py with arbitrary command arguments. This shell execution pattern is not declared in SKILL.md — only the tool names and descriptions are listed. Additionally, save_session.py independently uses subprocess without being exposed as a declared tool.
scripts/tools.py:48 Document that tools use subprocess internally, or refactor to import modules directly without shell invocation.
Low Doc Mismatch
SKILL.md installation modifies AGENTS.md with shell commands
SKILL.md instructs users to add bash command blocks to ~/.openclaw/workspace/AGENTS.md that pipe heredocs into python3 scripts. This is an unusual installation pattern that injects shell execution instructions into agent configuration.
SKILL.md:12 Use a standard registration mechanism (e.g., a Python setup function) instead of modifying AGENTS.md with shell command strings.
Declared capability vs actual capability
Filesystem Pass
Declared WRITE
→ Inferred WRITE
scripts/store.py: writes to ~/.openclaw/workspace/memory-workflow-data/ Network Block
Declared NONE
→ Inferred WRITE
scripts/store.py:94 — sends content to OLLAMA_URL via urllib; scripts/store.py:170 — POSTs to EMBEDDING_URL Shell Block
Declared NONE
→ Inferred WRITE
scripts/tools.py:48 — subprocess.run executes memory_ops.py; scripts/save_session.py:35 — subprocess.run Environment Pass
Declared READ
→ Inferred READ
scripts/config.py:14-17, store.py:32-34 — reads OLLAMA_URL, MILVUS_HOST, etc. Skill Invoke Pass
Declared WRITE
→ Inferred WRITE
SKILL.md declares 6 tool interfaces Suspicious artifacts and egress
High IP Address
172.17.0.1 scripts/config.py:12
Medium External URL
http://172.17.0.1:18778 scripts/config.py:12
Medium External URL
http://172.17.0.1:18779/v1/embeddings scripts/store.py:33
Medium External URL
http://host.docker.internal:11434 scripts/store.py:37
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| pymilvus | unpinned | pip | No | Used for Milvus vector storage, imported conditionally |
| jieba | unpinned | pip | No | Chinese segmentation, imported conditionally |
| urllib.request | stdlib | Python | No | Used for HTTP calls to Ollama and embedding API |
File composition
9 files · 1648 lines
Python 7 files · 1492 linesMarkdown 2 files · 156 lines
Files of concern · 4
scripts/store.py Undeclared LLM data transmission · Embedding API call sends all content to external service · http://172.17.0.1:18779/v1/embeddings · http://host.docker.internal:11434
scripts/tools.py Undeclared shell execution via subprocess
SKILL.md SKILL.md hides external service dependencies · SKILL.md installation modifies AGENTS.md with shell commands
scripts/config.py Hardcoded Docker bridge IP addresses as default service endpoints · 172.17.0.1 · http://172.17.0.1:18778
Other files · memory_ops.py · fts5.py · search.py · save_session.py · README.md
Security positives
No credential theft indicators — skill does not access ~/.ssh, ~/.aws, or .env files
No obfuscation detected — no base64-encoded strings or anti-analysis patterns
No reverse shell or C2 infrastructure — no suspicious outbound connections beyond documented API calls
File operations are scoped to a dedicated memory data directory (~/.openclaw/workspace/memory-workflow-data/)
Version pinning available for external dependencies (pymilvus in requirements would show versions)
FTS5 and file storage work without external dependencies, matching documentation